S 2.27 Maintenance of a PBX system
Initiation responsibility: PBX System Manager, IT Security Officer, Head of IT
Implementation responsibility: Administrator
A PBX system has a maintenance unit which can be used for configuration and administration of the PBX system. With older systems this can be a special piece of hardware, with more recent systems it is usually a control program. Depending on the particular PBX system, this unit can be accessed by different means from the outside, for example:
- via a system phone, i.e. an end device with extended functionality compared to normal end devices
- via a local computer connected to the telephone system (e.g. via RS232, USB, Ethernet)
- via a computer in the LAN which has special administrator software installed, if the PBX system is also connected to the LAN
- via a browser of a computer in the LAN, if the PBX system is also connected to the LAN
In case of an IP system connection where the PBX system is physically located at an external provider, the PBX system is generally administrated via a browser.
The maintenance unit should be configured so that only dedicated maintenance computers have access to it. For example by only allowing IT systems with permanently assigned IP addresses to communicate with the maintenance unit. Connection attempts by other IT systems should be rejected. In addition, the access to the maintenance computers should be restricted. To achieve this, they could, for example, be installed in a separate security area which cannot be accessed by unauthorised persons.
In general, access to the maintenance unit should only be possible after successful authentication. If possible, the data connection between the devices used for maintenance and the maintenance unit should be encrypted, unless the connection is used exclusively for this purpose (e.g. if using a serial cable). The devices used for maintenance and configuration of the PBX system must be protected by passwords or PINs. In this connection, S 2.11 Provisions governing the use of passwords must also be taken into consideration. Not only internal, but also external maintenance staff must authenticate themselves.
The maintenance of a PBX system should be carried out by employees with relevant knowledge, trained administrators for example. If the existing employees do not have the knowledge required for optimal maintenance and administration and if it is not possible to train them within a reasonable amount of time, commissioning external experts should be considered.
Regardless of who is responsible for maintenance of the PBX system, safeguard S 2.4 Maintenance / repair regulations must be taken into consideration additionally.
Remote maintenance
Under certain circumstances, configuration and maintenance of the PBX system by third parties, such as external experts, may be required. If administration is made via a data network, a communication connection to the PBX system is required for this. If the PBX system is connected to the organisation's local network, an attacker may be able to access the PBX system as well as the LAN. Therefore, the access points must be secured. This can be done as follows:
If external experts are to be commissioned with the maintenance and repair works corresponding rules must be specified. These should cover, for example, the supervision of external persons during their work and the handling of equipment which is sent in for repair. For additional information see S 2.4 Maintenance / repair regulations. In general, remote maintenance may cause numerous security problem. In order to reduce these, it is necessary to secure the remote maintenance access. Possible security functions for this are described in S 5.33 Secure remote maintenance. In case of IP-based access via public networks, the data connection should be secured and encrypted, for example, with Secure Shell (SSH) or via a Virtual Private Network (VPN).
Review questions:
- Are the maintenance access points of the PBX system protected against unauthorised use by means of technical and organisational safeguards?
- Are only maintenance computers able to communicate with the maintenance unit of the PBX system?
- Are the devices for maintenance and configuration of PBX systems protected by passwords and/or PINs?
- Is the data connection encrypted in case of IP-based access to the PBX system?